Random Thoughts – Randocity!

Yahoo: When recycling is not a good idea

Posted in botch, business, california, Yahoo by commorancy on July 17, 2013

After Marissa Mayer’s team recently decimated Flickr with its new gaudy and garish interface and completely alienated professional photographers in the process, her team is now aiming its sights on a new, but unnecessary, problem: recycling of long expired user IDs. Yahoo had been collecting user IDs for years. That is, people sign up and use the account for a while, then let the account lapse without use for longer than 30 days.  Yahoo marks the ID as ‘abandoned’ (or similar) and then locks it out forever, until now. Some employee at Yahoo offered up the incredibly bad idea to recycle IDs. Unfortunately, this decision to recycle IDs may actually become the demise of Yahoo. Let’s explore.

Recyclables

I’m guessing that Yahoo has decided to make it look like it’s doing something good by recycling something, anything. That is, Yahoo is now letting people Wishlist long-closed user IDs that had been previously locked. Hurry, though, you only have until Aug 7, 2013 to wishlist that long forgotten ID. The trouble is, these old abandoned IDs are clearly second-hand goods. Let’s understand what exactly that means and why you really don’t want one (unless, of course, it was previously yours).

1) Obviously… Spam

Clearly, you aren’t asking for this old ID so you can jump onto that horrendous new Flickr interface or because you intend to read Yahoo News or OMG. The most obvious reason to want that ‘primo’ ID is for the email address. Unfortunately, you have no idea how that account was formerly used or what baggage might be associated with it! So, unfortunately, you will have no idea what exactly you’re getting into by re-using someone’s old ID. The person might have signed up for it just to divert tons of spam into it. Yes, this happens. That means, you could open the account and find it filled with spam in only 5-10 minutes, literally. Who’s to say someone wasn’t using it for illegal purposes and it was shut down for that purpose?

Yeah yeah.. Yahoo claims they will ‘unsubscribe’ the old ID from newsletters and so forth and these will have been ‘idle’ for at least 12 months (the first batch), but they’ve outlined no way in which they plan to accomplish this unsubscribe piece. Are they really going to hire a bunch of people to sit around clicking unsubscribe links and filling out unsubscribe forms?  I think not. It’s all song and dance with no substance. Not to mention unsubscribing legitimate email subscriptions only accounts for about half (or less) of the total email volume that ends up in an inbox.  So, don’t expect any miracles from Yahoo. If they can stop email, the best they can stop is about 40-50% at most.  All of the rest will still show up merely by you having signed into your ‘new’ account.

A new email header?

Oh yeah, Yahoo is also trying to rush through the IETF RFC process a new header called require-recipient-valid-since that takes a date as an argument.  This header basically requires marketers to know the exact acquisition date of every email address in their lists. Assuming email marketers know this date, which is a huge and incorrect assumption for Yahoo to make, when the email marketers send email containing this date, the email will supposedly end up in the correct account (or not) depending on the date.  Because of this date header, that could lead real email to go missing or spam to show up. Unfortunately, as I said, this is an incorrect assumption. Most email marketers barely know the source of their leads, let alone when they acquired it. No, this date thing simply won’t work. And even then, this header will only work with email marketers willing to follow the rules. Spammers that don’t care won’t bother.

Worse, Yahoo is planning on handing out these newly freed old accounts in mid-August. Like every email marketing firm will simply drop whatever business plans they currently have to retool their applications to support this rushed and nearly useless header. Is Yahoo really that asleep at the switch?
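How a receiving mail server could act on the header described above, as an added example that is not Yahoo's code or part of the original post. The header syntax (`address; date`), the mailbox table and the `delivery_decision` and `make_msg` helpers are assumptions made for illustration, and the sample messages are constructed.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed mailbox table: address -> date the CURRENT owner took the ID.
OWNER_SINCE = {
    "primo@yahoo.example": datetime(2013, 8, 15, tzinfo=timezone.utc),   # recycled ID
    "steady@yahoo.example": datetime(2005, 3, 1, tzinfo=timezone.utc),   # never reissued
}


def delivery_decision(raw_message, rcpt, owner_since=OWNER_SINCE):
    """Return 'deliver' or 'reject' for one recipient of one message."""
    rcpt = rcpt.lower()
    owner_start = owner_since.get(rcpt)
    if owner_start is None:
        return "reject"                      # no such mailbox
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        # Assumed syntax: "<address>; <RFC 5322 date>"
        addr, sep, date_text = value.partition(";")
        if not sep or addr.strip().lower() != rcpt:
            continue                         # header names another recipient
        try:
            known_since = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue                         # unparseable date: treat header as absent
        if known_since.tzinfo is None:
            known_since = known_since.replace(tzinfo=timezone.utc)
        if owner_start > known_since:
            return "reject"                  # ownership changed after the sender's date
    return "deliver"                         # no usable header: nothing to compare


def make_msg(rcpt, since=None):
    """Build a constructed sample message, optionally carrying the header."""
    lines = ["From: alerts@bank.example", f"To: {rcpt}", "Subject: Password reset"]
    if since:
        lines.append(f"{HEADER}: {rcpt}; {since}")
    return "\n".join(lines) + "\n\nReset link follows.\n"


if __name__ == "__main__":
    old = "Mon, 01 Jun 2009 09:00:00 -0700"
    for rcpt, since in [("primo@yahoo.example", old), ("steady@yahoo.example", old),
                        ("primo@yahoo.example", None)]:
        print(rcpt, since, "->", delivery_decision(make_msg(rcpt, since), rcpt))
```

The third case, a message with no header at all, is delivered to the recycled mailbox: senders who do not supply the date get no protection from this check.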

2) Fraud, Account and/or Identity Theft

If you happened to have owned one of these long abandoned accounts or you otherwise lost your Yahoo account long ago, you’ll want to be very careful here. You can be guaranteed that there are already people scouting for popular long dead accounts to resurrect and phish for accounts, theft and identities. These thieves know that banks and other legacy institutions keep email addresses on file until you explicitly change them. Even then, they can have issues updating this information in their systems when you do request the change.  So, someone who obtains a long dead account and then browses to Wells Fargo or Bank of America’s web site to request a password reset could abscond with your account credentials and your money, assuming you still have (or ever had) any old Yahoo accounts hooked up to any financial accounts.

Yahoo claims to have ‘security’ mechanisms planned, but good luck with relying on that. I can’t even see that working. Granted, if banks fill in ‘require-recipient-valid-since’ with the appropriate acquisition date in every email they send, the banks can help prevent this issue (assuming the header works as expected).  But, that also assumes the bank has an email address acquisition date to fill in this header. That also assumes that the bank can even roll out this header change in the time allotted before Yahoo starts doling these old IDs out. The clock is ticking and Yahoo hasn’t even gotten the RFC completed.

Fraud and identity theft is a very likely outcome of recycling old Yahoo accounts. If you’re reading this article and you have ever used a now-long-closed Yahoo ID for email, I urge you to go through all of your important accounts and make sure you have deleted all references to your old Yahoo email address immediately! Otherwise, some random person could come to own your old ID and can then cycle through sites requesting password resets just to find what sites your old ID may have used.  This is the number one security threat that Yahoo can’t easily get around or easily address. Note that a hacker who obtains an old ID only needs to get access to one of your accounts that will email your real plaintext password back to them and then they’ll work their way up to your bigger accounts.  This is one of the biggest reasons this is an incredibly bad idea from Yahoo.

I’d also suggest that for any accounts you do have (i.e., Facebook, Gmail, etc), make sure to add alternative email addresses other than your Yahoo address for password resets and other security related emails. If you can, remove all your Yahoo addresses outright even if they are live.  Use Gmail or Windows Live Mail instead (at least until they decide to go down this stupid ID recycling road).

3) Yahoo Mistakes

Ooops.. we didn’t actually intend to give away your live account. Sorry, ’bout that.

And then you’re stuck without an account. Yahoo is not publishing what accounts are under consideration specifically.  They only say that these ‘dead accounts’ have been idle longer than 12 months in the first batch. Thereafter, any account that has been not accessed for 30 days is up for reissue consideration. There is nothing to say that Yahoo won’t make a mistake and re-issue a live and active account to some random person who signed up on the Wishlist. I can easily see this becoming one of the biggest blunders that Yahoo makes in this process. Unless the Yahoo staff is incredibly careful with this process, it would be super easy to accidentally give some random schmo access to an active live Yahoo account by mistake.  For this reason alone, I’d consider closing out all of my Yahoo accounts except for one thing. They would recycle my account string name in 12 months (or 30 days) and I’d be right back here in this situation again worrying about what of my other accounts were tied to this email address.

Basically, I can’t close my Yahoo account because it’s too great of a security risk.  If I leave it open, I risk Yahoo accidentally giving it away in this stupid ‘wishlist’ process.  It’s really a no-win situation. After Flickr, I have less and less trust in Yahoo and this is now leaving every Yahoo user in the lurch.  This basically means you can NEVER EVER close your active Yahoo account if you want to keep your other accounts secure.

4) Missing Email

Even if you do manage to get your hands on one of these ‘prized’ IDs, Yahoo claims to be putting technical measures into place to prevent security issues.  That could very well mean that for recycled accounts your mail delivery will be spotty, if it even works. Meaning, Yahoo may so heavily scrutinize emails heading to these recycled IDs that legitimate mail may simply never show up that’s been marked as ‘a security risk’.  So, for emails like password resets to accounts, you may find that these emails simply never show up at all.  Basically, anything that Yahoo’s email system construes as a security risk could simply just go missing. This is the most likely outcome of this recycling. Note that this problem could end up extending to every Yahoo account which could make Yahoo Mail a very problematic place for any email purposes.

Excess Baggage?

If after reading the above, you are still considering an ‘old used account’, I really can’t understand why. Taking on someone else’s old email and Yahoo baggage isn’t something I’d want to deal with (are they going to be sure to clear off all old comments and Yahoo answers for this old ID?). So, someone pops up from years past not knowing that Yahoo ID has been reissued and then you get some old boyfriend email, or someone who hated the previous owner of that ID.  Then what? So, then you’ll be left with a mess to clean up. Why would you want to deal with this excess baggage when you can get a new account that’s never been issued and not have to deal with this problem at all? However, knowing that any account you create at Yahoo would be recycled later, how could you rely on it for any kind of security?  You can’t.  So, I might suggest Gmail or Windows Live Mail (or any other free email service not recycling IDs) instead of Yahoo.

Alternatives?

Unfortunately, I don’t see any other alternatives with Yahoo at this point.  This is an incredibly stupid decision from Yahoo. I have no idea what the folks at Yahoo are even thinking. It’s not like a telephone number. You give that up and no one thinks twice that someone could use that old phone number nefariously.  Unfortunately, nearly every site now uses email addresses to know if you ‘own’ your accounts. So, password resets, pin codes, and all manner of secure information traverses through email addresses.

One thing that Yahoo may inadvertently cause from this change is for banks and other financial institutions to rethink how they validate a user’s identity. Clearly with this change, email addresses can no longer be trusted as secure, or even known to be owned by only one person.  This throws security surrounding email addresses into complete turmoil for any site that uses email addresses as validation.

Based on the previous paragraph, sites may start preventing use of @yahoo.com email addresses for their services. Knowing that you could lose your Yahoo account and then have it turned over to someone else 30 days later could easily lead to site compromises. To simply avoid this situation entirely, sites that rely on security may simply stop letting @yahoo.com email addresses sign up for service. So, one of the biggest benefits of using Yahoo Mail will end. I’d expect a mass exodus to Gmail or Windows Live Mail after the dust settles here. In fact, this decision may kill Yahoo Mail as any kind of a real email service. Does Marissa have any idea what the hell she’s doing?  If I were on the Yahoo board, I’d be seriously considering ousting this one right about now.

If I were in a position at Yahoo to make this decision, I would have killed this idea before I’d ever left the conference room. That Yahoo is even contemplating making this move at this time is completely questionable. Let’s just hope that when someone’s account is compromised and/or has identity theft as a direct result of this bad Yahoo decision, that someone will sue the pants off of Yahoo.  That will at least teach other ISPs that this is not, in any way, an acceptable practice.

Risky Business

This decision has disaster written all over it. This is also a huge liability risk for Yahoo. Yes, Yahoo may have written in their Terms and Conditions that they have the right to reissue account names.  But, since they hadn’t been doing this from the beginning and they’re now choosing to do this without proper preparations, this is a huge legal risk.  It only takes a handful of users whose accounts get compromised or whose identities get stolen as a result of Yahoo’s new policy for this to end in courtroom dates. I can’t even fathom what benefit Yahoo derives from reissuing old IDs, but I can definitely see huge legal liabilities and black clouds looming over this now floundering company. In fact, the liabilities so outweigh the potential benefits to Yahoo, I have to completely question the purpose of this decision.  Let’s hope Yahoo is all lawyered up as I can see the court dates piling up from this very very bad decision.


Microsoft Surface: Why Windows is not ready for a tablet

Posted in botch, microsoft, redmond by commorancy on July 4, 2013

Microsoft always tries to outdo Apple, but each time they try they end up with a half-baked device that barely resembles what Apple offers. Worse, the device barely even understands the purpose of why Apple created their product in the first place or even what space it fills in the market. But, leave it to Microsoft to try. Let’s begin.

Microsoft Surface

I’ve recently come into contact with a Microsoft Surface tablet. Let’s just dive right into the heart of the problems with this platform. Windows and a touch surface are simply not compatible, yet. Why? We have to understand Windows 8. For the release of Windows 8, Microsoft introduced Metro. This interface is a big tile based interface that is, more or less, touch friendly. It’s the interface that was adopted for use on both the Xbox 360 and Windows phones. The difference between Windows phone / Xbox 360 and Windows 8 is that you can’t get to the underlying Windows pieces on the Xbox 360 and Windows phone (and that’s actually a good thing). With Windows 8 on a tablet, unfortunately, you can. In fact, it forces you to at times. And, here’s exactly where the problems begin.

Windows 8 under the hood is basically Windows 7 slightly repackaged. What I mean is that Windows 8 is essentially Windows 7 when not using Metro. So, the window close button and resize button are the same size as Windows 7, the icons are the same size, the tiny little triangle next to a folder hierarchy is the same size. Easily clickable with a mouse. Now, imagine trying to activate one of those tiny little icons with a tree trunk. You simply can’t target these tiny little icons with your finger. It’s just not touch friendly. That’s exactly the experience you get when you’re using the Windows 8 desktop interface. When trying to press the close button on the window, you might have to press on the screen two, three or four times just to hit the tiny little control and make it activate. It’s an exercise in futility and frustration.

Metro and Windows

Metro is supposed to be the primary interface to drive Microsoft Surface. However, as soon as you press some of the tiles, it drops you right into standard Windows desktop with icons, start button and all. When you get dropped into this interface, this is exactly where the whole tablet’s usefulness breaks down. Just imagine trying to use a touch surface with Windows 7. No, it’s not pretty. That’s exactly what you’re doing when you’re at the Windows 8 desktop. It’s seriously frustrating, time consuming and you feel like a giant among Lilliputians.

No, this interface is just not ready for a touch surface. At least, not without completely redesigning the interface from the ground up… which, in fact, is what I thought Metro would become. But no, many of the activities on the Metro screen take you out of Metro. This is the breakdown in usability. For a tablet OS, Metro should be it.  There should be no underlying Windows to drop down to. If you can’t do it in Metro, it cannot be done!

A Tablet is not a home computer, Microsoft!

Offering up multiple interfaces to the operating system is the fundamental design difference between iOS and Windows 8. Microsoft would have been smarter to take Windows phone OS and place that operating system straight onto Windows Surface. At least that operating system was completely designed to work solely with touch screen using 100% Metro. That would have been at least more along the lines of what Surface should have been. Instead, Microsoft decides to take the entire Windows 8 operating system and place it onto the tablet, touch-unfriendly and all. Is anyone actually thinking in Redmond?

In addition, putting full versions of Word, PowerPoint and Excel on Windows Surface might seem like a selling point, but it isn’t. The point to the iPad is to provide you with small lightweight applications to supplement what you use on a full computer. Or, better, Cloud versions of the apps. I understand the thinking that having a full computer as a tablet might be a good idea, but it really isn’t. Tablets are way too underpowered for that purpose. That’s why notebooks and desktops are still necessary. The processors in flat tablet devices just aren’t powerful enough to be useful for full-sized apps.  That’s the reason why the iPad is the way that it is.  Apple understands that an A6 processor is not in any way close to a full quad core i7 processor. So, the iPad doesn’t pretend to be a full computer knowing that it can’t ever be that. Instead, it opts to provide smaller lightweight apps that allow simple communication, entertainment and apps that an A6 is capable of handling within the constraints of the limited RAM and storage. That’s why iOS works on the iPad and why Windows 8 doesn’t work on Microsoft Surface.

Herky Jerky Motion

One of the other problems I noticed is that when you’re dragging around Metro’s interface and transitioning between Windows 8 desktop apps and back into Metro, there is this annoying stuttering jerky motion the screen does.  It appears that this was an intentional design and not the graphics card going haywire. I’m not sure why this was let out of Redmond this way. Just from that problem alone, I first thought that Microsoft Surface tablet was having a problem. Then I realized that it wasn’t a tablet hardware problem. Indeed, that problem was inherent within Windows 8 and Metro.  If you’re planning to offer a dragging, fading, transitioning experience, make it smooth. That means, no jerky shaky transitions.  It makes the device seem under powered (it probably is). At the same time, it makes Windows look antiquated and unpolished (it definitely is).

Multiple Revisions

Microsoft always takes two or three product iterations before it settles into a reasonably solid, but second rate, product format. With the exception of the original Xbox, I don’t know of any single device that Microsoft has gotten right on the first try. It was inevitable that they would get the Microsoft Surface tablet wrong. If you’re looking to get into Windows 8, I’d suggest just going for a notebook outright. You’ll get more for your bang for the buck and you’ll have a much more usable Windows 8 experience.

I really wanted to like Windows Surface, but these fundamental problems with Windows prevent this tablet from being anything more than a clunky toy. The iPad actually has a use because the icons and screen elements are always big enough to tap no matter the size of the device. This is one of things that Apple fully understands about touch surfaces.  Although, Apple could do with some nuanced improvements to touch usability.  Unfortunately, when you get to the Windows 8 desktop interface, it’s a complete chore to control it via touch. I just can’t see buying a Windows Surface first version tablet. It tries to be too many things, but fails to be any of them.

Microsoft, figure it out!
